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Outline 


•  Analysis  integration  problem 

•  Analysis  contracts  approach 

-  Specification 

-  Verification 

•  Experimental  results 


Model  integration  in  CPS 


Aerodynamics 


•  Subtle  mismatches  between  technical  domains 

•  Lead  to  costly  fixes  or  failures 


Analytic  aspect  of  integration 


Analysis 


/ 

Bin  packing 

J 

Analysis 


System 


•  Frequency  scaling  is  applicable  only  when: 

-  used  after  Bin  packing 

-  the  system  is  behaviorally  deadline-monotonic 

•  Otherwise,  frequency  scaling  may  render  the  system  not  schedulable 

•  Hence,  model  consistency  is  not  sufficient  ' 


Analysis  integration  problem 


Analysis 


Analysis 


Domain  2 

•  Out-of-order  execution 

•  Invalidation  of  assumptions 


Existing  solutions 


•  Assume-guarantee  component  composition  does  not  handle 
analytic  integration  of  tools  [1][2]. 

•  Architectural  views  tackle  model  consistency,  not  analytic 
tool  consistency  [3][4] 

•  Meta-level  AADL  languages  do  not  allow  domain-specific 
semantics  [5] 

•  Previous  work  on  contracts:  single  domain  only,  unsound  and 
incomplete  verification  [6] 

[1]  Frehse  et  al.  Assume-guarantee  reasoning  for  hybrid  l/O-automata  by  over-approximation  of 

continuous  interaction,  2004 

[2]  Sangiovanni-Vincentelli  et  al.  Taming  Dr.  Frankenstein:  contract-based  design  for  cyber-physical 

systems,  2013 

[3]  Torngren  et  al.  Integrating  viewpoints  in  the  development  of  mechatronic  products,  2013 

[4]  Rajhans  et  al.  Supporting  heterogeneity  in  cyber-physical  systems  architectures,  2014 

[5]  Boddy  et  al.  The  FUSED  meta-language  and  tools  for  complex  system  engineering,  2011 

[6]  Nam  et  al.  Resource  allocation  contracts  for  open  analytic  runtime  models,  2011  i 
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Outline 


•  Analysis  integration  problem 

•  Analysis  contracts  approach 

-  Specification 

-  Verification 

•  Experimental  results 


Analysis  contracts  approach 


•  Formalize  analysis  domains 

•  Specify  dependencies  and  assumptions  of  analyses 

•  Determine  correct  ordering  of  analyses 

•  Verify  assumptions  of  analyses 
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Outline 


•  Analysis  integration  problem 

•  Analysis  contracts  approach 

-  Specification 

-  Verification 

•  Experimental  results 
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Running  example 


Scheduling 


Battery 


Battery  Scheduling 

Discharge  Charge 

f44- 


System 
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Verification  domain 


Scheduling  domain  a  ^  ^ 

^  sched 


Battery  domain 


System 
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Verification  domain 

•  Domain  a  is  a  many-sorted  signature  {Jl,  S,  %  {[H-a): 

-  Sl\  set  of  sorts  -  system  elements  and  standard 
sorts 

•  E.g.:  Z,  Threads,  Batteries,  SchedPol 

-  5:  ^  X  ...  X  ^  -  static  functions  that  encode 

design  properties 

•  E.g.:  Period,  Diine,  CPU  Bind,  Voltage 

-  X  ...  X  An  ^  Jik  -  runtime  functions  that  encode 
dynamic  properties 

•  E.g.:  CanPrmpV.  Threads  x  Threads  "B 

TN:  Batteries  x  Z  ^  Z 
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Verification  domain 


•  Domain  a  is  a  many-sorted  signature  (Jl,  S,  ^Ki  %  -llll-a)- 

-  execution  semantics  -  set  of  sequences  of 
assignments 

•  E.g.:  thread  scheduler  state  model  for  Osched 

battery  state  model  for  for  Obatt 

-  domain  interpretation  for  RL  and  s 

•  E.g.:  iSchedPol}„  =  {RMS,  DMS,  EDF} 

•  Architectural  model  m  is  an  interpretation  -Il-n,  of  Ji,  s, 
and  T 

-  E.g.:  iThreads'^^  =  {  SensorSample,  Ctrli,  Ctrl2 } 

^CPUBind]f„=  {  (Ctrli,  CPUi),  (Ctr/^,  CPU2),  ...  } 

-  -(ID-a  u  ■Ill'm  is  a  full  interpretation 


Analysis  contract 


•  Given  a  domain  a,  analysis  contract  C  is  a  tuple  (I,  O,  A,  G) 

-  Inputs  I  c  u  5 

-  Outputs  O  Q  S 

-  Assumptions  A  Q  If „ 

-  Guarantees  G^lf„ 

•  Where: 

-  ira::=  {V|3}  Vi..Vn*q>  |  {V|3}  Vi..Vn*<p  :  »|i 

-  q>  is  a  static  logical  formula  over  j?  and  S 

-  »|i  is  an  LTL  formula  over  j?,  s,  and  fl?, 

•  iTa  semantics  is  given  in  a  standard  way 

-  :  means  =>  in  case  of  V,  and  a  in  case  of  3 


Outline 


•  Analysis  integration  problem 

•  Analysis  contracts  approach 

-  Specification 

-  Verification 

•  Experimental  results 
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Contract  I/O  dependencies 

Scheduling 


Frequency  scaling  assumption 


Behavioral  equivalence  to  deadline-monotonic  scheduling 
•  V  t^,  tj!  Threads  •  t2  ^  CPUBind(t^)  =  CPUBind{t2)  : 

G  {CanPrmptit^,  tj)  ^  D//ne(tJ  <  D/ZneCtj)) 


EOF  =  DMS 


P=D 


P=D,  Harmonic,  Sync 


P=D 
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Assumption  verification 


•  SMT  solver  finds  solutions  for  static  fragment  <p 

-  V  t2\Threads  |  t;^  tj  a  CPUBind{t^)  =  CPUBind{t2) 

•  Model  checking  property  qi  in  a  behavioral  Promela 
model  for  each  SMT  solution: 

-  G  {CanPrmptit^,  t2)  ^  Dline{t^)  <  Dline{t2)) 
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Battery  modeling 

Battery 


•  Restrictions  on  acceptable  thermal  configurations 

•  Guarantee:  unacceptable  ones  don't  occur 


I  •  Abstraction:  geometry 
•  Simulates  heat  propagation 
I  •  Cannot  scale  to  dynamic  scheduling: 

I  simulates  only  fixed  cell  configurations 


•  Abstraction:  circuits 

•  Selects  a  scheduler  for  cell  connections 

•  Oblivious  of  heat:  treats  any  configuration 
acceptable  heat-wise 


Battery  scheduling  guarantee 


•  "Bad"  thermal  configurations  not  reachable 


oooo 


o  o  o  o 


OOOG) 


<)  o  o  a 


QOO0 


oooa 


GOOQ 


OOO0 


•  TA/(b,  i)  E  !fi-  number  of  cells  in  b  with  i  thermal 
neighbors 

•  K{b,  i)  E  5  -  experimental  coefficient  for  TA/(b,  i) 

•  Guarantee: 

V  b:  Batteries  •  G  ( I  i=o..3^(b,  i)*TA/(b,  i)  )  >  0 


Battery  modeling 

Battery 


Selects  a  battery  scheduler 

Guarantee:  V  b:  Batteries  •  G  (  X  i=o  i)*7"A/(b,  i)  )  >  0 
Verified  with  battery  Promela/Spin  model 


Determines  K(b,  i)  via  simulation 
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Outline 


•  Analysis  integration  problem 

•  Analysis  contracts  approach 

-  Specification 

-  Verification 

•  Experimental  results 
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Framework  implementation 
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Scalability  evaluation 


•  SMT  solving  typically  takes  less  than  0.1  second 

•  Spin  model  checking  times: 


a 


sched  ■ 


a 


batt  ■ 


Threads 

(R/D)MS 

EOF  time  ■ 

Cells 

FGURR 

FGWRR 

GPWRR 

time 

_  1 

time 

time 

time 

3 

0.01 

0.01 

9 

0.13 

0.15 

0.15 

4 

0.01 

0.52 

12 

0.61 

2.34 

3.94 

5 

0.07 

33.4 

16 

44 

31.4 

127 

6 

0.37 

2290.0 

20 

1060 

619 

Out  Mem 

7 

2.18 

Out  Mem 

25 

Out  Mem 

Out  Mem 

Out  Mem 

8 

12.4 

Out  Mem 

9 

71.2 

Out  Mem 

All  times  are  in  seconds 

10 

421 

Out  Mem 
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11 

Out  Mem 

Out  Mem 

Summary 


•  Analysis  integration  is  error-prone 

-  Incorrect  ordering 

-  Violation  of  implicit  assumptions 

•  Our  solution: 

-  Contract  specification  language 

-  Contract  verification  algorithm 

•  Effective,  extensible,  and  scalable 

•  Future  work: 

-  Assumptions  behind  7"  implementation 

-  Analysis  contracts  for  multiple  views 
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Contracts 


Security  Analysis 

•  AUsec-f^'^  =  {T,ThSecCl},0  =  {NotColoc],A  =  0,G  = 

—  g-.V  t^,t2  ■  ThSecCl{t{)  ^  ThSecCl{t2)  =>  G  NotColoc(t2) 

Multiprocessor  scheduling:  (Binpacking  +  scheduling) 

•  ^^sched-C'.I  =  [T,C,  NotColoc,  Per,WCET,Dline},0  =  {CPUBind},A  =  0,  G  =  [g] 

—  g-.V  ti,t2  •  ^  N  otColocit2)  =>  CPUBindit^')  ^  CPUBind(t2') 

Frequency  Scaling 

•  Anfreqsc-C'l  =  {T,  C ,  CPU  Bind,  Dime],  0  =  {CPUFreq],G  =  0,  A  =  {a} 

—  a:  Vti,t2  •  CPUBind{t{)  =  CPU Bind{t2)’.  G (CanPrmpt{tx,t2')  ^  Dlineit^)  B line (^^2*) 

Model  checking  periodic  program  (REK): 

•  Anfgj^.C:!  =  {T,C,Per,Dline,WCET,CPUBind],0  =  {rh5a/e},G  =  0,A  =  {ai,a2} 

•  ai:Vt  •  Peril]  =  Dlineit),  a2:  Vtj,  £2  •  G (C anprmpt(t j^,  12)  =>  G  ~iCanPrmpt(t2,  ti)) 

Thermal  runaway: 

•  Anj^yierm-C-I  =  [B,  BatRows ,  BatCols, Voltage],  0  =  =  0,G  =  0 

Battery  Scheduling 

•  AUhscfiga-C:  I  =  [B,  BatRows,  BatCols], 0  =  {BatConnSchedPol,  HasReqLifetime  ,SeriqlReq ,  ParalRea],A  =  0,G 

•  5-:  G(/C(0)  X  7^(0)  +  /CCl)  X  ryV(l)  +  /C(2)  X  ryv(2)  +  K(,3]  X  rA^(3)  >  0) 


